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Washington, D.C. 20231 
Sir: 

I, Allan Brett of 177 Cameron Street, Ottawa, Ontario, Canada, K1S 0X4 make oath and say: 

1 . I am a patent agent with the firm of Smart & Biggar, and have been involved in the 
preparation and prosecution of the above-noted application. 

2. Attached as Exhibit "H" to this Declaration is a photocopy of a facsimile received on 
February 17, 2000 from the inventor Ray Cheng. The facsimile provides information for the 
preparation of the patent application for the present invention. Please note that Exhibit "H" 
refers to the same document as Exhibit "A" to Ray Cheng's Declaration Under 37 CFR 
1.131, but the body of the facsimile is also enclosed, this showing the details of the invention 
as contemplated at that time. 
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I hereby declare that all statements made herein of my own knowledge are true and that all 
statements made on information and belief are believed to be true; and further that these 
statements were made with the knowledge that wilful false statements and the like so made are 
punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States 
Code and that such wilful false statements may jeopardize the validity of the application or any 
patent issued thereon. 



Respectfully submitted 




Dated: fev f % , 2004 



Ottawa, Ontario, Canada 
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Visit our Web site at: www.entrust.com 



Phone: 

Facsimile: 

Date: 



23 2 -2.4rS L 



To: 41/}^ RRETT 



Company: 



Pages to Follow: 



From: R C tVlz^ ^ ~ ^ ^ 



Message 




Entrust Technologies Facsimile: 613 247 3690 

This facsimile transmission is intended only for the use of individual or entity to ^*hich it is addressed and may 
contain information ^hich is privileged and confidential. If the reader of this message is not the intended recipient 
or the employee responsible for delivering this communication to the intended recipient, you are hereby notified tha 
any disclosure, distribution or copying of this communication is strictly prohibited. If you have received this 
communication in error, please notify us immediately by telephone to arrange for its return. Thank you. 



ZZ2-d 01/10 d OW-1 



069E-2VZ-E19 
10 d 



S3I3010NHD31 lSnaiNB-flOdd VQ:£l 00-2l-91d 
069E in £19 8S = El 00-2l-83d 




Entrust Technologies 

Multi-Domain Single Sign-On 

Author Ray Cheng 

Date: January 25, 2000 

Versron* 0 2 



\ 




© Entrust Technologies 2000 
The data herein are not to be used or disclosed without the consent of Entrust 

Technologies 

NOT to be distributed outside Entrust Technologies without a non- 
disclosure agreement. 
Entrust Technologies Proprietary and Strictly Confidential 
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Added support f 0 r custom page and servfet settings 
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1 Problem of multi-domain single sign-on (MDSSO) 

1.1 The problem and the solution 

Solvins Ihe MDSSO problem is really about bypassing the security in the cookie handling mechanism 
which prevents one & ite/dom» n from reading or modifying cooW.es that are used by .mother sitc/dom.nn 

The solution needs to bypass enough of the cookie security to iltow domains - in a family of trusted 
doww't" - to copy cookies generated by one domain into the cookie jars of the other domains at the 

browser 

Smce ihc *>»ut.un is about shying cnokies among multiple domains, we should keep the product which 
solves the MDSSO problem as general as possible and not introduce any dependencies on SecurcControl or 
SSO. 

1.2 Baking cookies 

The following *hows what happens to a browser's cookie jars when he visits a SccureControl protected 
URL at www~jpmorgan com and i* successfully authenticated and authorized: 



htfp /Aaww.jp morgan com/ 

MS protectedURL 

±1J - m 



£fe www.Jpmorgan.coTn 
webserver 



fpmorxonxoto 



morjtanmarkPts. com 



adr.cnm 



www.morganmarkets.com 
webserver 



www.adr.com 
webserver 
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. i id t on either www morsanmarkcts.com or www.adr.cotn He will need to 

either one of these sites 

T., ach.eve MDSSO- «c want alt h.s cookie jars to be filled w*h the SecureControl SSO cookie after his 

initial vi*it to www jpmor^an com- 



http./Awww jpmorgan.cowi' 

protectedURL 9$ 



www.Jpiriorgatt.coni 
webserver 



.jpmo rgttn. co m 








.itttftga nntatkctb.com . 












rtiu^t-*c«inn-vt)0lh-x74b 

1 _ 





www.morganmarketfi.com 
webserver 



www.adr.com 
webserver 



tf we do this when he next visit, b greeted URL on www margdnimrkefc com or www adr corti, he will 
need to ^theVcate since Z v,hd ScCUreC-tro! SSO cook, would be sent along with h* request. 
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2 Putting cookies into forbidden jars 

Some methods which may be employed to wtt cookies from one domain mto the cook.c jars of other 

domains 

1 Enable data tainting at the client and the webserver return 9 client-Id. script which writes the 
SSO cookie into the cookie Jar of the other domains. Unfortunately. th.s d-sablcs cook.e security for 
all sites and works only for some versions of Netscape Navigator. 

2 Webserver sends a signed client-s.de script which -rite, the 5SO cookie into the cookie Jar of the 
' other domains. This solution probably causes more problems than ,t solves since there is no 

content standard for handling signed scripts among browsers and some browser versions do not 
handle signed scripts at all The actual s-gning of scripts and ma.ntenancc of keys and certificates is 
another major administration issue 

3 After rete.vin B a SSO cookie, have the client visit nil the other domains in the MDSSO family 
and get the other domains to echo back the SSO cookie into their corresponding "Kitae jar st 
b^scr. Tta .'the only pmt.cal solution s.nce ,t requ.rcs only basic features of the rtTTP and uses 
web content that -s understood by most browsers The rest of this document will exarmne the mechamcs 
of achieving this coohe muting us'ng cUem-side Javascript in more details. 



' Although it is s.mplcr to Populate the various cook.e jars wth redirects and pass the «v 
infnmwnon alon* ... the parameter pori-on of the URL. incons.stcnt limits .mposed by webservers and 
browsers on .he maximum s^e of ihc URL parameters make th.s impractical 
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3 Cookie routing using client side Javascripts 

3.1 Step-by-step wa/fc through 



.jpittorgan. cnm 



mnrgantnarkett.com 



^ httD.//www ipmorgan.com/orotec*edURL 



4r dynamic content (GET) from serviet/tndsso 



-» POST fprm to servleVrndsSO ^ g 
dynamic content (POST) from mdsSO 



POST fprm to /servlel/ndfrSO ™ 




www.jpmorgdn.com 
webserver 



www.morganmarkets.com 
webserver 



www.adr.com 
webserver 



4- redirect to www iomorgan.com/CustornLogonPage 



1 . User requests protected 1 IRL for the fir* rime o" ^vwipmor^ n com. 

2 SecurcConrtol plugin detect, that the UP L ■* protected and redirects the user to the form authentication 
page 

3 t iscr submits his usemamc/password via the form 

4 SecureControl plumn 3lithenticaics user If authenticated and author red redirects user to the 
ScessW logon p!ge (e g /.crvletyrndssn) In this case, the successful logon page a scrvltf which 
permrms the MDSSO. 

what doe? the EnableMDSSO set-vlet do? 

a Check tor a MDSSO cookie 

The MDSSO cookie tnav conta-n the follo-nng .nfbrmation The data that goes in the cookie is a 
bit up <n the air n 5 ht no^. H may not b* »eccwi> to have coohc at all depending nhtch 
cnnfijniration xcttinz^e »>oM ul each wbiCrccr _ 
• tTme of last M DSSO - thi* .s lu used to ensure that MDSSO is refreshed only after a 

configurable period has passed since the last MDSSO and to keep us from going m circles 
passing cookies ground 
. domain, .n the MDSSO family that have been refreshed - this may not be necessary 

depend..* on how * c want to configure the different webservers For example^ ,f we store at 
each webserver the *** s.te in the domain family rather than the Itst of sites -n the domain 
family then wc may not need to store this information in the MDSSO cookie 



:,n this walk through, serves are used as the vehicle for 

be replaced by other means of dynamic content generation such as CGls. ASPs and JSPsA bug in 
be r ^^.^ nect , y cncode y cookie nan ,es and contents prevents it from being used however 



encmc w * 
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b Generate a cl.cm-side javascript that run when the HTML <BODY> « loaded by the client 

document., for-r^ro- - submit:); 
* /hcad^ 

c Lmbed a hidden form with the hidden values. 

l-od-"po- * " ..-r.:on=' , http //www.morganmark.ctsxorn/servlct/^ 

V'£ut ^o-"V^en" na^=-tocGpr Ve r" Vfl i U e-"«ww. 3 pn.org«n. com > 
-input type^lcH—-** nome-'^^o" v 6 iu=="www jpmorgon - com" > 

• The http /Zw^ rnoreanmarlcets com/servlet/mdsso value is derived from the serlvet properties 
at the webserver This is the URL that the fbnn data will be posted to 

♦ The value for "etssoc" is the SccureControl SSO eookie extracted from the request header. 
. The value for "homeServcr" and "homeURL" tells us which server the MDSSO process began 

and the page thai we want to end up at when the MDSSO process is over These arc servlet 
properties set at each MDSSO server. 
. The value For "mdsso ' <s a list of domain which have been v, S ited .n this case - what wc want 
to put is this cookie is ^ot yet final at thts point 

Bro-er teec-es dvnarmc content generated by /servlet/md.so fGCT) it runs the function doMDSSOO 
and post the form data tn the next server in the MDSSO family 
fhirp:/ 'www morganmarkets-com/scrvlet/md^o in this example). 

6. The mdsso servlet at www morganmarkcrs.com compares: 
a the server that the client will po*t to next 
b and the hoineServer in rhe post data 

Since the t**« vah.es arc different, the mdssn servlet generates the dynamic content similar to the mdsso 
serllet at www ,pmorgan com The exception is that the next client side post will be to 
http //www.adr com/servlet/mdsso. 

7 Tht mdsso servlet at www.adr com compares 
c the server that the chent will post to next 
d and the homeScrver in the post data 

S.ncc the two values arc the same. u sends a redirection header back to to chent and the client see, the 
Cusiotnl .ogonPage at the server that was -n-tially v.s.ted 
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P roperty 



mdsso.next server , 
mdsso.nevt un 



mdsso homcscryer 



webserver 



WWW. 

jj-i morf y fln.tom 
"www mnrganmarkets com 



/servlet/mdsso_ 



www jprnorgan com 
' /CustomLogqrjPage_ 



v*wm. morpanmarket5.com 



www.adr com 



/servlct/mdsso 



www morga nm arkcts com 



/CustomLozonPagc 



www.jpTTioTgan com 
/setvlct/mdsso 
www. adr com 

/CustomLo&onPagc 



Wc may also have ? omc settings (i c name, path, expiry 
decide tn use one. 



and domain) for the MDSSO cookie should we 
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Thursday. February 1 7. 2000 

Broader concepts for patenting the MDSSO 
technology 

One wj« to v,o» the invention i< as a method to transfer data across a series of communications dev.ces 
("est. acr"ss a sei ies of servers, without any direct server-server communication) 

Another w ay to v. cw the invention ■* as a method to transfer data from t«n or more servers into a browser 
fc y the SSOC from the first server) 

Concept 1 (novel use of browser as 'data delivery agent") 

. „sin c broker as an acent tn deliver data (identical, or mod-fied) from one server to another, with no 

direct server-server communications For example. : browser, served - browser. server2. . browse.. 

scrvei n (Optionally finish up anhe browser also.) 
. differs from the conventional use of a browser (a* master) acquiring data from a server. Also 

conventionally data acquired is not automatically forwarded to another server Prior art includes a 

browser "posting- data to a server, e.g when 3 User fills out a form, but then *e browser delivers data 

the user has entered (vs. data received from another server). 
- either done transparent to end-user, or by presenting a cho-ce tn browser user rc: whether to allow use 

of browser for slave action. The latter may be better depending on the application/data and issues 0 e 

privacy feeling of being in control from a consumei perspective) 

• specific case oT HT TP data can be transferred as a parameter m a GET. or content in a POST 

•Concept 2 (specifically, us.nii communications protocol like HTTP to distribute SSOC) 

. App. oach I . pre-storc information at the servers, specifying a "next server * in a virtual list. (Perhaps 

more secure but harde. to update the list and/or add server components ) 
. Appioach 2a: information sent to the set ver includes an ordered list (e g |a.b-cd]) of servers to v.srt A 

given server finds itself in the list. <md causes browser to visit next server in list (sending list along). 

• Approach 2h optimize Approach 2a hyscndin 5 nn only the un-uscd tail end of the list. ^_ 

•Note 2o and 2b seem better than I if the servers are not maintained by one company (see the wr.te- 7 
once-shoo-anywhere example). No harm in mentioning both in the patent application. 

•Concept 3 (more broadly, converting master-slave tn slave-master) 

• method tn turn master-slave protocol into slave-master, without changing the protocol. For example, 
novel use of existing 1 ITTp protocol so browser becomes slave to the server and follows server 
commands (beyond simple pnor-art use of re-dircct) 

• other examples tw 0 - Wa y-pager and network base station, handheld communications device and 

network server. , 
. consider a Pa lwP.lot or RIM two-way pager being used to transmit data from serverl to server2. where 
privnev laws piecludc serverl from directly communicating to servcr2: this might also be necessary for 
some strange leeal reasons, e g. for h.storical laws to hold m cyberspace a direct contractual 
relationship may need to be established between end-user and each site 
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Visit our Web site at: www.entrust.com 



Phone: 
Facsimile: 

Date-. 



23 2 £ 



Company: 



Pages to Follow: 



Message 




Entnist ^chnc^ogies J^^^^^ 7 ^ 9 ^^^ or ^ * -hich it i s addressed and ^ 
This facsimile transmission is mteml«i omy rar uic ^ « » « j meS5a ge is not the intended recipient. 

™ ^S^dSSbSn V™o P yu»gof this communication is stricdy prohibited. If you have receded this 
S^rSln TrS. please noUfy us immediately by telephone to arrange For its return. Thank you. 
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